Content Security Policy

The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page.

We recommend using the nonce-based approach documented with CSP3 ↗. Make sure to include your nonce in the api.js script tag and we will handle the rest. Cloudflare Turnstile works with strict-dynamic.

Alternatively, add the following values to your CSP header:

script-src: https://challenges.cloudflare.com
frame-src: https://challenges.cloudflare.com

We recommend validating your CSP with Google's CSP Evaluator ↗.

Pre-clearance support

If you are using Turnstile in pre-clearance mode, Turnstile sets the cf_clearance cookie by doing a fetch request to a special endpoint in /cdn-cgi/ of your domain.

For this request to succeed, your connect-src directive must include 'self'.

Was this helpful?

Resources
API
New to Cloudflare?
Directory
Sponsorships
Open Source

Support
Help Center
System Status
Compliance
GDPR

Company
cloudflare.com
Our team
Careers

Tools
Cloudflare Radar
Speed Test
Is BGP Safe Yet?
RPKI Toolkit
Certificate Transparency

Community
X
Discord
YouTube
GitHub

Privacy Policy
Terms of Use
Report Security Issues
Trademark